Computer-security researchers have estimated that up to 50% of computer-security threats have some form of shared-object-based component. These threats typically “inject” malicious shared objects (e.g., DLLs) into otherwise legitimate processes. The malicious code contained within the injected shared object may then perform malicious actions under the cover of an otherwise legitimate process.
For example, a malware developer may register a malicious DLL (by, for example, tricking a user into running a malicious executable file or by exploiting a buffer overflow in a legitimate application) for loading by an otherwise legitimate application, such as MICROSOFT WORD for WINDOWS. In this example, when MICROSOFT WORD loads, the malicious DLL will also load and launch, potentially scheduling background threads that launch attacks directly from the process space associated with MICROSOFT WORD.
Because the code contained within malicious DLLs may run under the cover of an otherwise legitimate process, it is sometimes difficult to detect and eliminate malicious DLLs without also harming their legitimate host process. As such, the instant disclosure identifies a need for systems and methods for detecting and eliminating shared-object-based security threats.